Forty-three percent of companies surveyed don't take the basic step of classifying
their data into security categories.[2]

A resource is something that has value to the organization and which, if lost or
damaged, would cause a loss to the organization as a whole. Resources are more
than just assets; they include employees, infrastructure, relationships with
customers or partners, and corporate reputation.

All of these resources have security requirements that vary depending upon
the importance of the particular resource. However, before proper security measures
can be applied, the company's resources must be identified, and their value, along
with the cost to the company should they be disclosed or destroyed, must be assigned.
A complete inventory of company resources is required to know what the company
needs to protect. All major information resources must be accounted for and
have a designated owner and security classification.

Comprehensive documentation of resources is required to appropriately evaluate
the level of security necessary to protect the organization.

Identifying Resources

The first step is to identify the organization's information resources. This
will determine the scope of the security evaluation. In theory, all of the organization's
information resources would be considered. However, constraints of time, money,
and area of responsibility often limit the evaluation.

The various assets and security processes associated with each individual system
should be identified and clearly defined. The responsible individual for each
information asset and for each specific security process should be agreed upon
and the responsibility documented; authorization or approval levels for any
changes should also be defined and documented.

Every asset should be clearly defined. These include information and processes
as well as physical assets. Often these assets can be put into logical groupings
of closely associated information and processes. These asset groups can then
be managed as a single asset.

Information

Defining information resources at the appropriate level is a task that requires
experience with the information. Data items that are always used together as
a unit of information can be considered a single information resource. It is
safest to evaluate the information at the data element level. After the information
is evaluated, it can be aggregated together to simplify administration. These
aggregates must be clearly defined and equivalent to the sum of their parts.
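
One way to check an inventory against these rules, given here as an added example that is not part of the original text. The classification scale, the field names and the reading of "equivalent to the sum of their parts" (an aggregate is classified at least as high as its highest member and carries the summed loss cost of its members) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed classification scale, lowest to highest (not defined in the text).
LEVELS = ["public", "internal", "confidential", "restricted"]

@dataclass
class Resource:
    name: str
    owner: Optional[str]
    classification: Optional[str]
    loss_cost: int = 0  # assumed field: cost if disclosed or destroyed
    members: list = field(default_factory=list)  # element names, aggregates only

def audit(elements, aggregates):
    """Return (resource name, problem) pairs for the inventory."""
    findings = []
    by_name = {e.name: e for e in elements}
    # Every resource needs a designated owner and a security classification.
    for r in elements + aggregates:
        if not r.owner:
            findings.append((r.name, "no designated owner"))
        if r.classification not in LEVELS:
            findings.append((r.name, "no security classification"))
    # An aggregate must be equivalent to the sum of its evaluated parts.
    for agg in aggregates:
        for m in agg.members:
            if m not in by_name:
                findings.append((agg.name, f"member {m} not in inventory"))
        parts = [by_name[m] for m in agg.members if m in by_name]
        rated = [LEVELS.index(p.classification) for p in parts
                 if p.classification in LEVELS]
        if (rated and agg.classification in LEVELS
                and LEVELS.index(agg.classification) < max(rated)):
            findings.append(
                (agg.name, f"classified below member level {LEVELS[max(rated)]}"))
        if agg.loss_cost != sum(p.loss_cost for p in parts):
            findings.append((agg.name, "loss cost differs from sum of members"))
    return findings

# Constructed sample inventory (names, owners and costs are made up).
ELEMENTS = [
    Resource("customer_name", "sales", "internal", 10_000),
    Resource("card_number", "finance", "restricted", 500_000),
    Resource("order_history", None, "confidential", 50_000),
]
AGGREGATES = [
    Resource("customer_record", "sales", "confidential", 560_000,
             ["customer_name", "card_number", "order_history"]),
    Resource("marketing_list", "marketing", "internal", 10_000,
             ["customer_name", "email_address"]),
]
```

Running `audit(ELEMENTS, AGGREGATES)` on the sample reports the element without an owner, the aggregate classified below one of its members, and the aggregate that references a data element nobody has evaluated.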

Algorithms

Many organizations have proprietary processes and information contained in
the algorithms and software which they have created that need to be adequately
protected. In many of the process industries, it is the process more than the
data that is unique and has value to the company. These algorithms and processes
first need to be identified and inventoried.

Software

Purchased software is a significant investment for most organizations. It needs
to be accounted for so that, if it is stolen, an appropriate value can be determined.
Adequate software inventories are also necessary to demonstrate that the organization
is following its contractual requirements as described in the license agreement
for each software package.

Equipment

Physical assets are usually already inventoried, with their value and owner
defined. Be sure to utilize this existing information when it is available.
However, information system equipment also needs to be evaluated for the costs
associated with its unavailability so that appropriate risk reduction plans can be created.